CKEditor 4
Fri, 07/03/2009 - 15:03
#1
fcksecurity
fcksecurity's picture
Joined: 03/07/2009
Posts: 2

FCKEditor and current vulnerability exploited in the Wild

Hello,

Currently attacks occurs using a vulnerabiliy in a vulnerable FCKEditor version of filemanager, as shipped with some ColdFusion servers:
http://isc.sans.org/diary.html?storyid=6715

The vulnerability is about sending a PHP file (as test.php) BUT using a ZIP header as the beginning of the file to bypass the security check, and after put the PHP (or ASP, CFM) code in the file. In this case, the PHP (or ASP, CFM) is evaluated on the server.

This vulnerability is known since October 2008:
http://cve.mitre.org/cgi-bin/cvename.cg ... -2008-6178
http://www.securityfocus.com/bid/31812/info

Unfortunately, as there is no security section on the FCKeditor Web site (sorry if i miss it, in this thanks for the URL), does anyone know if:
- Is this vulnerability fixed in recent FCKEditor versions ?
- Has a patch been distributed ?
- Is it possible to restrict using internal FCKeditor command access to the filemanager connector, instead of disable it for the moment ?

Regards.

Top
Fri, 07/03/2009 - 17:50
wiktor
wiktor's picture
Joined: 16/07/2007
Posts: 1641

Re: FCKEditor and current vulnerability exploited in the Wild

Please use the contact form to send us a message about discovered vulnerabilites.
Whenever security issues are fixed, they are mentioned here: http://www.fckeditor.net/whatsnew.

fcksecurity wrote:
Currently attacks occurs using a vulnerabiliy in a vulnerable FCKEditor version of filemanager, as shipped with some ColdFusion servers:
http://isc.sans.org/diary.html?storyid=6715

Wiktor Walc
CTO, CKSource - http://cksource.com
--
Follow CKEditor on: Twitter | Facebook | Google+

Top
Sun, 07/05/2009 - 23:58
fcksecurity
fcksecurity's picture
Joined: 03/07/2009
Posts: 2

Re: FCKEditor and current vulnerability exploited in the Wild

wiktor wrote:Please use the contact form to send us a message about discovered vulnerabilites.
Whenever security issues are fixed, they are mentioned here: http://www.fckeditor.net/whatsnew.

Top
Mon, 07/06/2009 - 12:36
alfonsoml
alfonsoml's picture
Joined: 31/12/2006
Posts: 3737

Re: FCKEditor and current vulnerability exploited in the Wild

fcksecurity wrote:

- Is it possible to restrict using internal FCKeditor command access to the filemanager connector, instead of disable it for the moment ?

Yes, open fckeditor\editor\filemanager\connectors\config.ext and make sure that enabled is set to true only for users that should have access to it.


Thank you for the tip, this is an interesting workaround waiting for the new FCKEditor version.

Top
Wed, 07/08/2009 - 14:22
johneweb
johneweb's picture
Joined: 08/07/2009
Posts: 1

Re: FCKEditor and current vulnerability exploited in the Wild

Of the steps outlined by alfonsoml, our setup already follows 1-5 however we have not yet upgraded to 2.6.4.1. We are currently running 2.6.4.

That being the case, does the security issue still exist if the file browser is enabled in config.ext yet LinkUpload, ImageUpload and FlashUpload are all disabled in fckconfig.js?

Thanks
Top
Wed, 07/08/2009 - 16:07
alfonsoml
alfonsoml's picture
Joined: 31/12/2006
Posts: 3737

Re: FCKEditor and current vulnerability exploited in the Wild

An attacker won't care about your fckconfig.js, that's just client side code to hide the browse or upload buttons so your users don't have bad expectations, it isn't related to the security at all.
They will go directly against your connector, and if you have left it enabled for everyone, then you are running a high risk.
Top
Twitter Facebook Facebook Instagram Medium Linkedin GitHub Arrow down Phone Menu Close icon Check